Top 10 AWS Security Tips: #8 Encrypt Sensitive Data

Last week, we tackled the basics of monitoring your AWS deployment. This week we’re going to shift gears and take a look at encryption.

Data Drives Your Business

Your business runs on data and information. One of the biggest concerns about moving to the public cloud is the safety of that data. With a little due diligence, you can put those concerns to bed.

There are three key steps to protecting your data in the cloud:

Identify and classify your data

Protect your data at rest

Protect your data in motion

Identify & Classify

You can’t take steps to protect your data until you understand what you have, what it’s worth to you and your customers, and where it’s stored and processed.

Looking at your network, what type of customer data do you store? Any intellectual property that gives you a competitive advantage? Access credentials for your systems?

Start by taking an inventory of your data.

Now, go through that inventory and try to prioritize the data. How important is it to your customers? Your business operations? Your reputation? You don’t need hard values for the data, just a rough idea of what’s important to your business.

Once you have that list, track down where and how you store that data and where it is processed. These are the areas you should focus on securing first.

Protect Your Data At Rest

How you protect your data at rest depends heavily on where you store it. If you’re storing your data as files on a drive, you can either encrypt the entire drive or encrypt file-by-file. If your data is stored in a database, you can either encrypt the entire database or encrypt value-by-value.

In both scenarios, file or database, your choice really boils down to:

Encrypt the underlying storage so everything gets encrypted automatically

Encrypt each piece of data as it’s stored

From a usability perspective, the less you need to worry about encryption for day-to-day operations, the better. This usually leads to the encryption of the underlying storage. However, this can also impose a performance penalty on your deployment.

Protect Your Data In Motion

Use SSL/TLS for any HTTP traffic (that’s the “S” in “HTTPS”) with a valid certificate from a trusted 3rd party [1]. If your deployment isn’t using HTTP as a transport, find the encrypted equivalent for the protocol you use.

The performance impact of an all-encrypted communications channel is negligible. There is no reason not to use an encrypted transport.

Protect Your Data Everywhere

Encryption can be a tricky subject to address but there’s no need to be intimidated. Take an inventory of your data, prioritize it by value. Work through the inventory applying the appropriate level of encryption to each data store in turn. Make sure that all communications within your deployment are encrypted.

Taking these simple steps will greatly increase the security of your data at rest and in motion.

What do you do to protect your sensitive data in the cloud? Please share your tips in the comments! And if you’re interested in securing your EC2 or VPC instances, check out our new Deep Security as a Service for cloud servers, currently in free Beta.

[1] Full disclosure: Trend Micro is in the SSL certificate business, but a certificate from any trusted 3rd party will get the job done. A quick search for “SSL certificate vendors” will turn up quite a few possibilities.
